Open main menu

CDOT Wiki β

Changes

OPS335 DNS Lab

2,876 bytes added, 22:31, 30 August 2011
no edit summary
OPEN SERVER ADMINISTRATION
 
Lab #03
 
FOCUS: Domain Name System
In this lab you will configure a Linux host to be a DNS server for the rest of the machines in your intranet. You'll use example.org as your domain with IP addresses in the range 192.168.X.1 - 192.168.X.254. The server will handle all queries for names in the example.org domain and all reverse lookups for addresses in the given range of local IP numbers. The server will pass DNS queries for other names and addresses out to the Internet (i.e. to Seneca's DNS server).
 
You're going to populate your server with the following records:
 
Fully Qualified Domain Name
IP Address
 
f13.example.org
192.168.X.1
 
vm01.example.org
192.168.X.2
 
vm02.example.org
192.168.X.3
 
vm03.example.org
192.168.X.4
 
NOTE: For those of you using Fedora 13 installed on one removable HD and used as a host for one or more guest VMs, X will default to 122. You need at least two machines to do this lab (one host and one guest). The first will be set up as your gateway/firewall and DNS server. The others will be client hosts inside the intranet.
 
Here's what your network will look like:
Part A: Perform these steps on your gateway/firewall/DNS machine.
Start up your Fedora 13 PC, login as joker, open a terminal window and "su -" to root. This PC will be f13. It will be your gateway/firewall as well as the domain name server for your intranet.
Ensure you are connected to the Internet. Use firefox to authenticate yourself so you can surf the web outside of the Seneca domain.
Use yum to update your system if necessary.
yum update
 
Use yum to install the DNS server.
 
yum install bind
 
Also start your ssh server.
 
service sshd start
Set your hostname to f13.
- OPS335 -hostname f13
OPEN SERVER ADMINISTRATIONSet your domainname to example.org. domainname example.org Edit the file /etc/named.conf and enter the following: But use your own X value where applicable. If no file exists, create one. If one is already there, delete it and make a new one. options { directory "/var/lib/named"; auth-nxdomain no; forwarders { 142.204.1.2; 142.204.43.43;};}; zone "localhost" { type master; file "localhost.zone";}; zone "X.168.192.in-addr.arpa" { type master; file "mydb-for-192-168-X";}; zone "example.org" { type master; file "mydb-for-example-dot-org";}; Make a new directory called 'named', like this mkdir /var/lib/named Now edit /var/lib/named/localhost.zone and enter the following: $TTL 604800@ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL;@ IN NS localhost.@ IN A 127.0.0.1 Now edit /var/lib/named/mydb-for-example-dot-org and enter the following: But use your own X value where applicable. $TTL 604800@ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL;@ IN NS localhost.f13 IN A 192.168.X.1vm01 IN A 192.168.X.2vm02 IN A 192.168.X.3vm03 IN A 192.168.X.4 Next, edit /var/lib/named/mydb-for-192-168-X and enter the following: $TTL 604800@ IN SOA localhost. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ); Negative Cache TTL;@ IN NS localhost.1 IN PTR f13.example.org2 IN PTR vm01.example.org3 IN PTR vm02.example.org4 IN PTR vm03.example.org Now set up your resolver to point to itself. Edit /etc/resolv.conf, delete what's there and enter this data instead. Remember to use your value for X. nameserver 192.168.X.1domain example.org Start your DNS server with the commandservice named start Check that your name server is running ps ax | grep named or service named status When starting or restarting your name server view the log file (/var/log/messages) to ensure it started without error. Try a few lookups: host f13.example.org host vm01.example.org host vm02.example.org host vm03.example.org host cbc.ca Now try a few reverse lookups: host 192.168.X.1 host 192.168.X.2 host 192.168.X.3 host 192.168.X.4 Part B: Perform these steps on your Intranet machine.Use virt-manager on Fedora 13 to install at least one VM called vm01. Feel free to install several more if you have time. Make sure the host name is set to vm01 and the domain is example.org. You may use vm01 from the previous lab if you wish.On this machine edit the /etc/resolv.conf file and enter the following: nameserver 192.168.X.1domain example.org Now try the commands host f13.example.org host vm01.example.org host vm02.example.org host vm03.example.org host yahoo.ca
Lab #02And the commands
FOCUS: Basic IP Tables host 192.168.X.1 host 192.168.X.2 host 192.168.X.3 host 192.168.X.4
In this lab Now, still on the second machine, try surfing the web with Firefox. NOTE: you will learn how should not need to use iptables to build a simple Linux firewallauthenticate yourself through SeneNet on this machine.
Part A: Building a Simple FirewallLogin as joker to Finally, on all machines in your Fedora 13 PCnetwork, experiment with the following commands. NOTE: It's not necessary Be sure to use a VM for this lab. Just use your original Fedora system created in lab #0.Open a terminal window several different command options to learn and "su -" to root.Disable your current firewallunderstand how they work. i.e. flush all rules in all chains in all tables.Now build a custom firewall by performing the following steps:
Add appropriate rule(s) to allow all traffic to/from the loopback 'lo' interface.Add a rule to the INPUT chain of the filter table to allow all UDP traffic coming from port 53. i.e. source port is 53.Add a rule to the INPUT chain of the filter table to allow all ESTABLISHED or RELATED incoming connections.hostCreate a new chain named MYSSH in the filter table.digAdd a rule to the INPUT chain of your filter table that sends all tcp packets with destination port 22 to your MYSSH chain.nslookupAdd a rule to your MYSSH chain to deny all traffic from 142.204.141.XXX (XXX is the PC beside you). Also log these denied packets with log level 'info'.Add a rule to the INPUT chain of the filter table that allows all new tcp ssh connections.Make a new chain named MYICMP in the filter table.Add a rule to your MYICMP chain that denies ICMP pings from 142.204.141.XXX (the PC beside you).Add a rule to your MYICMP chain that denies ICMP pings originating with MAC address of 11Part C:22:33:44:55:66 (NOTE: to test this you'll have to change the MAC address of the PC beside you with the ifconfig command).Add a rule to your MYICMP chain that allows ICMP pings from anywhere.Add a rule to the INPUT chain of Now answer the filter table to send ICMP ping packets to your MYICMP chain.Change the default policy on the INPUT chain in the filter table to DROP.Use nmap to scan your firewall from 142.204.141.XXX. If you don't have nmap on your system then install it.Use ping and ssh from 142.204.141.XXX (and elsewhere) to verify your firewall is working properly. Be sure to check the log file for your unsuccessful ssh attempts.Use iptables-save command to save your firewall rulesfollowing questions.
Part B: Answer the following questionsWhat is your full name and nine digit Seneca student ID?Show your firewall rules using the output of the Use iptables-save command.Show to show the results of your nmap scans from part Arules relating to DNS. Be sure to also Only show the exact nmap command you usedthese rules.Show the log records messages generated by when starting your invalid ssh attempts DNS server.What is a zone file and what is it used for?Name the zone files used in part Athis lab.What iptables rule would you need to add to your firewall to allow a maximum is the purpose of 3 concurrent ssh connections from 142/etc/nsswitch.204conf?What is the purpose of /etc/resolv.141conf?Under what circumstances does DNS use TCP vs UDP?What is meant by the term "negative cache"?Name 5 top level domains.XXX to your host?
1
edit